Is that your entire ruleset? You also need to allow ESTABLISHED,RELATED packets, otherwise only the first packet of the TCP handshake will ever make it through.
– Ansgar Wiechers Sep 10 '12 at 17:46

Your description of your network is a bit confusing. The address 192.168.0.2 is not within the 192.168.15.0/24 network. What is the address of the inside interface of the firewall?
– Zoredache Sep 10 '12 at 18:28

1 Answer
1

First, since the destination NAT is performed in PREROUTING, you need to make sure you build any of your rules in the filter table using the address after the address translation has been performed. PREROUTING is processed before the filter table. So your rule that permits 2200 isn't doing anything useful, since the packet doesn't have a destination port of 2200 by the time it hits the filter table; instead it has been translated to port 22 by your NAT rule.

The other part I am less certain about, since you haven't given a good description of your network. Unless I am misunderstanding your network setup, I believe 192.168.15.2 is not an address on the firewall. I bring this up since you are trying to add a rule to the INPUT chain. The INPUT chain is used for packets being sent to the firewall system itself, and doesn't get visited when packets are being routed between interfaces from one network to another. I suspect that you should be adding a rule to the FORWARD chain instead.
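As an added illustration of the two points in this answer (not part of the original question or answer), the script below emits a minimal port-forward ruleset rather than applying it, so it can be reviewed before it touches a live firewall. The VM address 192.168.15.2 and the 2200 -> 22 translation come from the question; the WAN interface name `eth0` is an assumption. It shows the DNAT in nat/PREROUTING, the filter rule placed in FORWARD and matching the translated port 22 (not 2200), and the ESTABLISHED,RELATED rule from the first comment, next to the INPUT rule on port 2200 that never matches anything.

```shell
#!/bin/sh
# Added example, not from the original question or answer.
# Assumptions, labelled: WAN_IF=eth0 is a hypothetical external interface name;
# the VM host 192.168.15.2 and the port mapping 2200 -> 22 come from the question.
WAN_IF="${WAN_IF:-eth0}"
VM_IP="192.168.15.2"
PUBLIC_PORT=2200
VM_PORT=22

# Print the rules instead of running them, so they can be reviewed
# (or piped to sh) before changing a live firewall.
port_forward_rules() {
    # 1. nat/PREROUTING rewrites the destination before the routing decision
    #    and before the filter table ever sees the packet.
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $PUBLIC_PORT -j DNAT --to-destination $VM_IP:$VM_PORT"
    # 2. The packet is then routed towards another network, so it traverses
    #    filter/FORWARD (not INPUT), and by now its destination port is 22.
    #    Matching on the VM address keeps the rule from opening 22 to other hosts.
    echo "iptables -A FORWARD -i $WAN_IF -p tcp -d $VM_IP --dport $VM_PORT -m conntrack --ctstate NEW -j ACCEPT"
    # 3. Replies and the rest of the handshake need the stateful rule.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# The rule the answer calls out as useless: it sits in the filter table,
# where the port has already been rewritten to 22, and in INPUT, which a
# forwarded packet never visits.
ineffective_rule() {
    echo "iptables -A INPUT -p tcp --dport $PUBLIC_PORT -j ACCEPT"
}

# Sanity check on the generated ruleset: the FORWARD accept must match the
# post-translation port, not the public one.
forward_rule_matches_translated_port() {
    port_forward_rules | grep -- '-A FORWARD' | grep -q -- "--dport $VM_PORT"
}

# Run stand-alone to print the reviewed rules.
port_forward_rules
```

Forwarding between interfaces also requires `net.ipv4.ip_forward=1`. To confirm the order of operations on a running box, compare the packet counters from `iptables -t nat -L PREROUTING -nv` and `iptables -L FORWARD -nv` while the connection attempt is made; the DNAT counter increments first, and the FORWARD rule only counts if it matches the translated port.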

For clarification, the network 192.168.15.0/24 is a network I use on that host for virtual machines (KVM). And the INPUT chain's default action is ACCEPT. Using tcpdump I'm able to see the SSH packet coming in on the WAN interface.
– Daniel Sep 10 '12 at 18:39